Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels.
The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored …

Wow

And this . . .

Deliberate wide-open back door?

Surely this can't be any kind of bug, more an intentional back door? It's pretty hard to 'accidentally' code:

if (q == 'database') {

echo $keys_to_the_castle;

}

So what's the likelihood that it was a back door added during development that was never removed when it went public? Perhaps some smart arse thought "No need to code review the FAQ bit, that's not important"...